In February 1971 Banco Bilbao Vizcaya Argentaria, better known as BBVA, launched Spain’s first credit card. Fifty years later the bank remains at the forefront of innovation, with more than half of its customers using digital channels. But as digitisation has progressed, so too have the cybersecurity threats facing BBVA. Tech Monitor spoke to Álvaro Garrido, BBVA’s chief security officer, about the bank’s ‘security operations centre of the future’, its cloud-based security analytics platform, and how AI will help in the fight against Advanced Persistent Threats (APTs).
Digital transformation at BBVA
BBVA is the second-largest bank in Spain and a major player in the global financial services sector, with more than 56 million active customers across 35 countries. The bank’s business has digitised rapidly in the past five years: in 2020, 35.6 million of its customers used digital products and services, double the figure in 2015.
This digitisation has been accompanied by an increase in the volume and sophistication of cybersecurity threats. “We’re past the first phase of [cyber] security, where it was just a game for kids wearing hoodies committing opportunistic crimes and petty theft,” says Garrido, who has been with BBVA for three years. “We’re in the second phase now and it’s very, very intense. There’s more organised crime involvement and the stakes are getting higher.”
The threat from state-backed actors has also grown. “We’re starting to see a lot more activity in these state-sponsored units,” Garrido says. “Their orientation is often slightly different, targeting intellectual property. More automation and robotics are being used.”
Covid-19 has accelerated the digitisation of banking – one report recorded a 200% surge in the use of mobile banking in April 2020 as the pandemic took hold – and has provided opportunities for cybercriminals to exploit the fears of their targets. “You get these links on your social media saying ‘click here to get some information on when you’ll get your Covid-19 vaccine’, or things like this,” says Garrido. “That’s where training of employees and customers becomes really important, because it doesn’t matter what kind of technology you have; if someone decides to click on a link you’ve got a problem.”
BBVA’s cybersecurity strategy
The growing intensity and sophistication of cybersecurity threats have challenged BBVA CSO Garrido and his team to keep pace. Garrido oversees the bank’s anti-fraud and physical security efforts, and this vantage point has proved the necessity of having a holistic view of the bank’s security posture.
“It’s often the case that crime will start in the digital world but have a physical component to their attack, or you might have physical criminals trying to use the network of the bank to do bad stuff,” he says. “The digital attack surface has massively multiplied, while things like ATMs remain very attractive for criminals, and we’re protecting our employees all around the world [working remotely] in very different social situations, so the game has got a lot more difficult.
But achieving this view is easier said than done – “the challenge for us becomes knowing what to monitor”, says Garrido – and though the company started to build its own tools to log and analyse different types of information, Garrido and his team soon decided they would need far greater visibility of BBVA’s entire digital environment.
“It became apparent we needed to massively multiply the amount of data we received,” he says. “That’s on an infrastructure level, looking at things like operating systems and applications, but also going up the stack and looking at the financial activity of our customers. You need a system that can handle this huge amount of data and allow you to store it for enough time to perform proper forensic analysis and detect trends relating to APTs.”
You need a system that can handle this huge amount of data and allow you to store it for enough time to perform proper forensic analysis and detect trends relating to APTs.
That prompted BBVA to develop what it called its ‘security operations centre of the future’, where its staff will work on developing new ways to thwart attacks that can be deployed quickly and at scale. It is built on Chronicle, Google Cloud’s security platform that allows users to store and rapidly search vast amounts of security data, as well as flagging up potential problems.
“I wanted to ensure the sustainability of our security provision and take it to the next level,” Garrido says. “That’s what Chronicle is doing for us, addressing the massive amounts of storage we need.” He adds that the system’s automated preparation of data leaves his staff with more time to focus on the threats the bank faces. “We’re able to take our hands off the preparation and labelling of data, it is injected directly into Chronicle and we can run intelligent queries on top of that,” he says.
Customers are already feeling the benefits of the change, with the new system able to automatically block potential skimming attacks, where credit card details are stolen by scammers who have infiltrated a retailer’s payment infrastructure. Previously, stopping these attacks was a slow and laborious process for BBVA but “we’re now able to detect a compromised point-of-sale in a high street shop and automatically rewrite the rules in our anti-fraud engine to block transactions from that point-of-sale and any compromised credit cards,” Garrido explains.
The new system is also helping when it comes to online transactions, enabling swift analysis of the IP addresses of people using BBVA’s digital channels, to detect potentially suspicious activity. “[The new system] gives us the ability to correlate multiple data points and do proper forensics,” Garrido adds. “This kind of integration is becoming the norm in the financial industry.”
BBVA is the first bank in Europe to deploy Chronicle, and Garrido says it plans to work with Google to develop algorithms that will help it spot the tell-tale signs of cyber-attacks before they take hold and hit customers in the pocket. “APTs are launching very sophisticated attacks, and across the industry you can see that right now it can take days or weeks to find out what’s really going on,” he says. “We want to be in a position where we can fight back much earlier, and give ourselves some time to segregate and circumvent the attack. In security no single thing can fix your life – there’s no magic wand – but you can buy yourself time to do other things.”